VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

NOTE Segment Infection technique

DCA E-zine #1 (html)
September 2004

[Back to index] [Comments]

1. Introduction

I was sitting around and looking at my old creations etc. and then I've asked myself : Why am I always using that old fucing S.P.I ( Segment Padding Technique) technique in my viruses !? Hm.... Because its so easy to understand and to use it.It has been used since 3-4 years.Well I think this way of infection is getting old fashioned ;)

On a sunny day I was looking at the output of readelf. And then I've realized that fucking NOTE segment is actually unusefull for the loader and for the user :-P And then came the idea : Why not inserting the virus code after the NOTE segment or even better : Why not inserting it IN the NOTE segment !? Well let us take a closer look at this idea...

2. Analyse

The ELF dodumentation says: Every executable should contain a section named ".note.ABI-tag" with sh_type = SHT_NOTE as defined in <elf.h> in the Shdr structure. If this section is missing the ELF loader will assume its a plain native executable.So removal/modifying this section should be no problem to use if we intent to execute that programm after removing/modifying the file.

In the NOTE segment you'll mostly find a "GNU" and then the kernel version of the system where the executable got compiled.Example:

	GCC: (GNU) 2.95.

So it makes sense to delete that segment/section since it isnt a important part for building the process image of file to execute it.

3. Evil plan

We'll have to change the type of that segment to type LOAD so the ELF builder can build the executable and not complaining about a segment which can be loaded...

Then we'll have to append our virus code at the end of file. I know thats quite lame but after "this is only a hack" ;) When I think about Lin32.Nf3ct0r and Lin32. Nemox we could insert that virus code even into the NOTE segment because the code isnt so big and it will fit perfectly right in that segment.

At the end we must patch some entries in Ehdr and all that Phdr and Shdr stuffs so that they can reflect the insertion of our code.First of all we must patch the old entry point with a new one:

#define ELF_BASE 0x8048000
#define ELF_PAGE_SIZE 0x1000
int new_entry_point(void)
        return ELF_BASE - 2*ELF_PAGE_SIZE +
                aligned_file_size & ELF_PAGE_SIZE;

As u know an executable has (generally) 2 LOAD segments. And those segments are aligned with 0x1000 bytes. Thats why I'm using "2*ELF_PAHE_SIZE".

In the next step we must change some info the program header of type NOTE:

int patch_phdr[Elf32_Phdr *phdr_note)
        phdr_note->p_type = PT_LOAD;
        /* we insert our virus code at the of the file */

        phdr_note->p_offset = aligned_file_size;

        phdr_note->p_memsz = phdr_note->p_filesz = sizeof(virus_code);
        phdr_note->p_vaddr = phdr_note->p_paddr //new_entry_point();
        /* have the same flags and alignment as the code segment */
        p_note->p_flags = phdr_code->p_flags;

        p_note->p_align = phdr_code->p_align;
        return 0;

4. Problems

Well this technique sounds quite interesting but there are a few problems which might occur during doing this:

5. Le fin

Well I admite that isnt a original idea , so I'm not the only one who had this wonderfull idea to do sth like this but after all I think you got the point: ELF is fuckable !!! So download an *NIX and get amused fucking ELF !!! ;) Thats all folcks ... I'm outy...

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka